Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787)

* Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2020-01-10 14:55:30 +01:00
parent a3c99f4871
commit c5f906f472
6 changed files with 101 additions and 70 deletions
--- a/pkg/middleware/middleware.go
+++ b/pkg/middleware/middleware.go
@@ -2,7 +2,6 @@ package middleware

 import (
 	"fmt"
-	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
@@ -253,20 +252,7 @@ func WriteSessionCookie(ctx *models.ReqContext, value string, maxLifetimeDays in
 		maxAge = int(maxAgeHours.Seconds())
 	}

-	ctx.Resp.Header().Del("Set-Cookie")
-	cookie := http.Cookie{
-		Name:     setting.LoginCookieName,
-		Value:    url.QueryEscape(value),
-		HttpOnly: true,
-		Path:     setting.AppSubUrl + "/",
-		Secure:   setting.CookieSecure,
-		MaxAge:   maxAge,
-	}
-	if setting.CookieSameSite != http.SameSiteDefaultMode {
-		cookie.SameSite = setting.CookieSameSite
-	}
-
-	http.SetCookie(ctx.Resp, &cookie)
+	WriteCookie(ctx.Resp, setting.LoginCookieName, url.QueryEscape(value), maxAge, newCookieOptions)
 }

 func AddDefaultResponseHeaders() macaron.Handler {